Insecure class load in AggregateCrudMapping #126

Open
@zero-fp

Description

Bug explanation

The method com.networknt.eventuate.common.impl.AggregateCrudMapping.toEvent(EventIdTypeAndData) passes an unfiltered parameter to java.lang.Class.forName. An attacker who controls the event type string can name any class on the application classpath, including one that executes arbitrary Java code in its constructor or static initialization block, and have it loaded. This can harm the application, cause a denial of service, or have other impact.

return JSonMapper.fromJson(eventIdTypeAndData.getEventData(), (Class<Event>) Class.forName(eventIdTypeAndData.getEventType()));

Please refer to CWE-494 and CWE-470 for more information about this class of class-loading vulnerability.

Bug fix

Restrict the second argument of JSonMapper.fromJson to classes from the com.networknt.* namespace only. Affected calls:

return (Snapshot)JSonMapper.fromJson(serializedSnapshot.getJson(), clasz);

return JSonMapper.fromJson(eventIdTypeAndData.getEventData(), (Class<Event>) Class.forName(eventIdTypeAndData.getEventType()));

Proof-of-concept

package org.securityReport;

import com.networknt.eventuate.common.impl.EventIdTypeAndData;

public class networkntRCE {
    public static void main(String[] args) {
        EventIdTypeAndData data = new EventIdTypeAndData();
        // The event type string is used verbatim as the class name to load;
        // "insecureClass" stands for any class present on the application classpath.
        data.setEventType("insecureClass");
        // toEvent hands the unvalidated type name straight to Class.forName.
        com.networknt.eventuate.common.impl.AggregateCrudMapping.toEvent(data);
    }
}

The example was reproduced against package com.networknt:eventuate-common:2.0.11 from the Maven repository.
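The following is an added example of the hardened lookup the bug fix section describes; it is not code from the eventuate-common project. The class name SafeEventTypeResolver and the nested Event marker interface are assumptions standing in for the project's real Event type, and the assignability check goes one step beyond the namespace rule proposed above.

```java
package org.example.hardening;

// Added example, not the project's own code. Resolves an event type name to a
// Class only when it lies in the allowed namespace and implements Event.
public final class SafeEventTypeResolver {
    // Namespace restriction proposed in the report; an explicit allow-list of
    // concrete event classes is stricter still and preferable where feasible.
    private static final String ALLOWED_PREFIX = "com.networknt.";

    // Assumed marker type; the project's real Event type plays this role.
    public interface Event {}

    private SafeEventTypeResolver() {}

    public static Class<? extends Event> resolve(String eventType) throws ClassNotFoundException {
        // Reject anything outside the namespace before touching the class loader.
        if (eventType == null || !eventType.startsWith(ALLOWED_PREFIX)) {
            throw new IllegalArgumentException("event type outside allowed namespace: " + eventType);
        }
        // initialize=false: resolve the name without running static initializers;
        // initialization only happens once the type check below has passed.
        Class<?> candidate = Class.forName(eventType, false,
                SafeEventTypeResolver.class.getClassLoader());
        if (!Event.class.isAssignableFrom(candidate)) {
            throw new IllegalArgumentException("not an Event type: " + eventType);
        }
        return candidate.asSubclass(Event.class);
    }

    public static void main(String[] args) {
        // Constructed inputs: a JDK class outside the namespace (rejected by the
        // prefix check) and a namespace-conforming name that does not exist here
        // (rejected by Class.forName with ClassNotFoundException).
        String[] samples = {"java.util.Date", "com.networknt.eventuate.example.Created"};
        for (String name : samples) {
            try {
                resolve(name);
                System.out.println("loaded " + name);
            } catch (IllegalArgumentException | ClassNotFoundException e) {
                System.out.println("rejected " + name + ": " + e);
            }
        }
    }
}
```

With the restriction applied this way, JSonMapper.fromJson only ever receives a Class that is both inside the trusted namespace and a genuine Event subtype, so the event type string can no longer select an arbitrary classpath class.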
